Merge branch 'main' into path-sensitive-stack-variable-reachability-analysis

2026-05-01 03:35:13 +02:00 · 2021-07-12 14:46:44 +02:00
parent fd477383b0 c47d680d65
commit be06230b43
2217 changed files with 205623 additions and 29266 deletions
--- a/cpp/ql/test/TestUtilities/InlineExpectationsTest.qll
+++ b/cpp/ql/test/TestUtilities/InlineExpectationsTest.qll
@@ -181,14 +181,14 @@ private int getEndOfColumnPosition(int start, string content) {
    min(string name, int cand |
      exists(TNamedColumn(name)) and
      cand = content.indexOf(name + ":") and
-      cand > start
+      cand >= start
    |
      cand
    )
  or
  not exists(string name |
    exists(TNamedColumn(name)) and
-    content.indexOf(name + ":") > start
+    content.indexOf(name + ":") >= start
  ) and
  result = content.length()
 }
--- a/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected
+++ b/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected
@@ -58,29 +58,29 @@ edges
 | aliasing.cpp:98:3:98:21 | Chi [m1] | aliasing.cpp:100:14:100:14 | Store [m1] |
 | aliasing.cpp:98:10:98:19 | call to user_input | aliasing.cpp:98:3:98:21 | Chi [m1] |
 | aliasing.cpp:100:14:100:14 | Store [m1] | aliasing.cpp:102:8:102:10 | * ... |
-| aliasing.cpp:106:3:106:20 | Chi [array content] | aliasing.cpp:121:15:121:16 | taint_a_ptr output argument [array content] |
-| aliasing.cpp:106:3:106:20 | Chi [array content] | aliasing.cpp:131:15:131:16 | taint_a_ptr output argument [array content] |
-| aliasing.cpp:106:3:106:20 | Chi [array content] | aliasing.cpp:136:15:136:17 | taint_a_ptr output argument [array content] |
-| aliasing.cpp:106:3:106:20 | Chi [array content] | aliasing.cpp:175:15:175:22 | taint_a_ptr output argument [array content] |
-| aliasing.cpp:106:3:106:20 | Chi [array content] | aliasing.cpp:187:15:187:22 | taint_a_ptr output argument [array content] |
-| aliasing.cpp:106:3:106:20 | Chi [array content] | aliasing.cpp:200:15:200:24 | taint_a_ptr output argument [array content] |
-| aliasing.cpp:106:9:106:18 | call to user_input | aliasing.cpp:106:3:106:20 | Chi [array content] |
-| aliasing.cpp:121:15:121:16 | Chi [array content] | aliasing.cpp:122:8:122:12 | access to array |
-| aliasing.cpp:121:15:121:16 | taint_a_ptr output argument [array content] | aliasing.cpp:121:15:121:16 | Chi [array content] |
-| aliasing.cpp:131:15:131:16 | Chi [array content] | aliasing.cpp:132:8:132:14 | * ... |
-| aliasing.cpp:131:15:131:16 | taint_a_ptr output argument [array content] | aliasing.cpp:131:15:131:16 | Chi [array content] |
-| aliasing.cpp:136:15:136:17 | Chi [array content] | aliasing.cpp:137:8:137:11 | * ... |
-| aliasing.cpp:136:15:136:17 | taint_a_ptr output argument [array content] | aliasing.cpp:136:15:136:17 | Chi [array content] |
+| aliasing.cpp:106:3:106:20 | Chi [[]] | aliasing.cpp:121:15:121:16 | taint_a_ptr output argument [[]] |
+| aliasing.cpp:106:3:106:20 | Chi [[]] | aliasing.cpp:131:15:131:16 | taint_a_ptr output argument [[]] |
+| aliasing.cpp:106:3:106:20 | Chi [[]] | aliasing.cpp:136:15:136:17 | taint_a_ptr output argument [[]] |
+| aliasing.cpp:106:3:106:20 | Chi [[]] | aliasing.cpp:175:15:175:22 | taint_a_ptr output argument [[]] |
+| aliasing.cpp:106:3:106:20 | Chi [[]] | aliasing.cpp:187:15:187:22 | taint_a_ptr output argument [[]] |
+| aliasing.cpp:106:3:106:20 | Chi [[]] | aliasing.cpp:200:15:200:24 | taint_a_ptr output argument [[]] |
+| aliasing.cpp:106:9:106:18 | call to user_input | aliasing.cpp:106:3:106:20 | Chi [[]] |
+| aliasing.cpp:121:15:121:16 | Chi [[]] | aliasing.cpp:122:8:122:12 | access to array |
+| aliasing.cpp:121:15:121:16 | taint_a_ptr output argument [[]] | aliasing.cpp:121:15:121:16 | Chi [[]] |
+| aliasing.cpp:131:15:131:16 | Chi [[]] | aliasing.cpp:132:8:132:14 | * ... |
+| aliasing.cpp:131:15:131:16 | taint_a_ptr output argument [[]] | aliasing.cpp:131:15:131:16 | Chi [[]] |
+| aliasing.cpp:136:15:136:17 | Chi [[]] | aliasing.cpp:137:8:137:11 | * ... |
+| aliasing.cpp:136:15:136:17 | taint_a_ptr output argument [[]] | aliasing.cpp:136:15:136:17 | Chi [[]] |
 | aliasing.cpp:175:15:175:22 | Chi | aliasing.cpp:175:15:175:22 | Chi [m1] |
 | aliasing.cpp:175:15:175:22 | Chi [m1] | aliasing.cpp:176:13:176:14 | m1 |
-| aliasing.cpp:175:15:175:22 | taint_a_ptr output argument [array content] | aliasing.cpp:175:15:175:22 | Chi |
+| aliasing.cpp:175:15:175:22 | taint_a_ptr output argument [[]] | aliasing.cpp:175:15:175:22 | Chi |
 | aliasing.cpp:187:15:187:22 | Chi | aliasing.cpp:187:15:187:22 | Chi [m1] |
 | aliasing.cpp:187:15:187:22 | Chi [m1] | aliasing.cpp:188:13:188:14 | Store [m1] |
-| aliasing.cpp:187:15:187:22 | taint_a_ptr output argument [array content] | aliasing.cpp:187:15:187:22 | Chi |
+| aliasing.cpp:187:15:187:22 | taint_a_ptr output argument [[]] | aliasing.cpp:187:15:187:22 | Chi |
 | aliasing.cpp:188:13:188:14 | Store [m1] | aliasing.cpp:189:15:189:16 | m1 |
 | aliasing.cpp:200:15:200:24 | Chi | aliasing.cpp:200:15:200:24 | Chi [m1] |
 | aliasing.cpp:200:15:200:24 | Chi [m1] | aliasing.cpp:201:15:201:16 | m1 |
-| aliasing.cpp:200:15:200:24 | taint_a_ptr output argument [array content] | aliasing.cpp:200:15:200:24 | Chi |
+| aliasing.cpp:200:15:200:24 | taint_a_ptr output argument [[]] | aliasing.cpp:200:15:200:24 | Chi |
 | arrays.cpp:6:12:6:21 | call to user_input | arrays.cpp:7:8:7:13 | access to array |
 | arrays.cpp:6:12:6:21 | call to user_input | arrays.cpp:9:8:9:11 | * ... |
 | arrays.cpp:6:12:6:21 | call to user_input | arrays.cpp:10:8:10:15 | * ... |
@@ -108,32 +108,32 @@ edges
 | by_reference.cpp:88:3:88:24 | Chi [a] | by_reference.cpp:122:21:122:38 | taint_inner_a_ref output argument [a] |
 | by_reference.cpp:88:3:88:24 | Chi [a] | by_reference.cpp:126:21:126:40 | taint_inner_a_ref output argument [a] |
 | by_reference.cpp:88:13:88:22 | call to user_input | by_reference.cpp:88:3:88:24 | Chi [a] |
-| by_reference.cpp:92:3:92:20 | Chi [array content] | by_reference.cpp:104:15:104:22 | taint_a_ptr output argument [array content] |
-| by_reference.cpp:92:3:92:20 | Chi [array content] | by_reference.cpp:108:15:108:24 | taint_a_ptr output argument [array content] |
-| by_reference.cpp:92:9:92:18 | call to user_input | by_reference.cpp:92:3:92:20 | Chi [array content] |
-| by_reference.cpp:96:3:96:19 | Chi [array content] | by_reference.cpp:124:15:124:21 | taint_a_ref output argument [array content] |
-| by_reference.cpp:96:3:96:19 | Chi [array content] | by_reference.cpp:128:15:128:23 | taint_a_ref output argument [array content] |
-| by_reference.cpp:96:8:96:17 | call to user_input | by_reference.cpp:96:3:96:19 | Chi [array content] |
+| by_reference.cpp:92:3:92:20 | Chi [[]] | by_reference.cpp:104:15:104:22 | taint_a_ptr output argument [[]] |
+| by_reference.cpp:92:3:92:20 | Chi [[]] | by_reference.cpp:108:15:108:24 | taint_a_ptr output argument [[]] |
+| by_reference.cpp:92:9:92:18 | call to user_input | by_reference.cpp:92:3:92:20 | Chi [[]] |
+| by_reference.cpp:96:3:96:19 | Chi [[]] | by_reference.cpp:124:15:124:21 | taint_a_ref output argument [[]] |
+| by_reference.cpp:96:3:96:19 | Chi [[]] | by_reference.cpp:128:15:128:23 | taint_a_ref output argument [[]] |
+| by_reference.cpp:96:8:96:17 | call to user_input | by_reference.cpp:96:3:96:19 | Chi [[]] |
 | by_reference.cpp:102:21:102:39 | Chi [a] | by_reference.cpp:110:27:110:27 | a |
 | by_reference.cpp:102:21:102:39 | taint_inner_a_ptr output argument [a] | by_reference.cpp:102:21:102:39 | Chi [a] |
 | by_reference.cpp:104:15:104:22 | Chi | by_reference.cpp:104:15:104:22 | Chi [a] |
 | by_reference.cpp:104:15:104:22 | Chi [a] | by_reference.cpp:112:14:112:14 | a |
-| by_reference.cpp:104:15:104:22 | taint_a_ptr output argument [array content] | by_reference.cpp:104:15:104:22 | Chi |
+| by_reference.cpp:104:15:104:22 | taint_a_ptr output argument [[]] | by_reference.cpp:104:15:104:22 | Chi |
 | by_reference.cpp:106:21:106:41 | Chi [a] | by_reference.cpp:114:29:114:29 | a |
 | by_reference.cpp:106:21:106:41 | taint_inner_a_ptr output argument [a] | by_reference.cpp:106:21:106:41 | Chi [a] |
 | by_reference.cpp:108:15:108:24 | Chi | by_reference.cpp:108:15:108:24 | Chi [a] |
 | by_reference.cpp:108:15:108:24 | Chi [a] | by_reference.cpp:116:16:116:16 | a |
-| by_reference.cpp:108:15:108:24 | taint_a_ptr output argument [array content] | by_reference.cpp:108:15:108:24 | Chi |
+| by_reference.cpp:108:15:108:24 | taint_a_ptr output argument [[]] | by_reference.cpp:108:15:108:24 | Chi |
 | by_reference.cpp:122:21:122:38 | Chi [a] | by_reference.cpp:130:27:130:27 | a |
 | by_reference.cpp:122:21:122:38 | taint_inner_a_ref output argument [a] | by_reference.cpp:122:21:122:38 | Chi [a] |
 | by_reference.cpp:124:15:124:21 | Chi | by_reference.cpp:124:15:124:21 | Chi [a] |
 | by_reference.cpp:124:15:124:21 | Chi [a] | by_reference.cpp:132:14:132:14 | a |
-| by_reference.cpp:124:15:124:21 | taint_a_ref output argument [array content] | by_reference.cpp:124:15:124:21 | Chi |
+| by_reference.cpp:124:15:124:21 | taint_a_ref output argument [[]] | by_reference.cpp:124:15:124:21 | Chi |
 | by_reference.cpp:126:21:126:40 | Chi [a] | by_reference.cpp:134:29:134:29 | a |
 | by_reference.cpp:126:21:126:40 | taint_inner_a_ref output argument [a] | by_reference.cpp:126:21:126:40 | Chi [a] |
 | by_reference.cpp:128:15:128:23 | Chi | by_reference.cpp:128:15:128:23 | Chi [a] |
 | by_reference.cpp:128:15:128:23 | Chi [a] | by_reference.cpp:136:16:136:16 | a |
-| by_reference.cpp:128:15:128:23 | taint_a_ref output argument [array content] | by_reference.cpp:128:15:128:23 | Chi |
+| by_reference.cpp:128:15:128:23 | taint_a_ref output argument [[]] | by_reference.cpp:128:15:128:23 | Chi |
 | complex.cpp:40:17:40:17 | *b [a_] | complex.cpp:42:16:42:16 | f indirection [a_] |
 | complex.cpp:40:17:40:17 | *b [b_] | complex.cpp:42:16:42:16 | f indirection [b_] |
 | complex.cpp:40:17:40:17 | *b [b_] | complex.cpp:43:16:43:16 | f indirection [b_] |
@@ -304,29 +304,29 @@ nodes
 | aliasing.cpp:98:10:98:19 | call to user_input | semmle.label | call to user_input |
 | aliasing.cpp:100:14:100:14 | Store [m1] | semmle.label | Store [m1] |
 | aliasing.cpp:102:8:102:10 | * ... | semmle.label | * ... |
-| aliasing.cpp:106:3:106:20 | Chi [array content] | semmle.label | Chi [array content] |
+| aliasing.cpp:106:3:106:20 | Chi [[]] | semmle.label | Chi [[]] |
 | aliasing.cpp:106:9:106:18 | call to user_input | semmle.label | call to user_input |
-| aliasing.cpp:121:15:121:16 | Chi [array content] | semmle.label | Chi [array content] |
-| aliasing.cpp:121:15:121:16 | taint_a_ptr output argument [array content] | semmle.label | taint_a_ptr output argument [array content] |
+| aliasing.cpp:121:15:121:16 | Chi [[]] | semmle.label | Chi [[]] |
+| aliasing.cpp:121:15:121:16 | taint_a_ptr output argument [[]] | semmle.label | taint_a_ptr output argument [[]] |
 | aliasing.cpp:122:8:122:12 | access to array | semmle.label | access to array |
-| aliasing.cpp:131:15:131:16 | Chi [array content] | semmle.label | Chi [array content] |
-| aliasing.cpp:131:15:131:16 | taint_a_ptr output argument [array content] | semmle.label | taint_a_ptr output argument [array content] |
+| aliasing.cpp:131:15:131:16 | Chi [[]] | semmle.label | Chi [[]] |
+| aliasing.cpp:131:15:131:16 | taint_a_ptr output argument [[]] | semmle.label | taint_a_ptr output argument [[]] |
 | aliasing.cpp:132:8:132:14 | * ... | semmle.label | * ... |
-| aliasing.cpp:136:15:136:17 | Chi [array content] | semmle.label | Chi [array content] |
-| aliasing.cpp:136:15:136:17 | taint_a_ptr output argument [array content] | semmle.label | taint_a_ptr output argument [array content] |
+| aliasing.cpp:136:15:136:17 | Chi [[]] | semmle.label | Chi [[]] |
+| aliasing.cpp:136:15:136:17 | taint_a_ptr output argument [[]] | semmle.label | taint_a_ptr output argument [[]] |
 | aliasing.cpp:137:8:137:11 | * ... | semmle.label | * ... |
 | aliasing.cpp:175:15:175:22 | Chi | semmle.label | Chi |
 | aliasing.cpp:175:15:175:22 | Chi [m1] | semmle.label | Chi [m1] |
-| aliasing.cpp:175:15:175:22 | taint_a_ptr output argument [array content] | semmle.label | taint_a_ptr output argument [array content] |
+| aliasing.cpp:175:15:175:22 | taint_a_ptr output argument [[]] | semmle.label | taint_a_ptr output argument [[]] |
 | aliasing.cpp:176:13:176:14 | m1 | semmle.label | m1 |
 | aliasing.cpp:187:15:187:22 | Chi | semmle.label | Chi |
 | aliasing.cpp:187:15:187:22 | Chi [m1] | semmle.label | Chi [m1] |
-| aliasing.cpp:187:15:187:22 | taint_a_ptr output argument [array content] | semmle.label | taint_a_ptr output argument [array content] |
+| aliasing.cpp:187:15:187:22 | taint_a_ptr output argument [[]] | semmle.label | taint_a_ptr output argument [[]] |
 | aliasing.cpp:188:13:188:14 | Store [m1] | semmle.label | Store [m1] |
 | aliasing.cpp:189:15:189:16 | m1 | semmle.label | m1 |
 | aliasing.cpp:200:15:200:24 | Chi | semmle.label | Chi |
 | aliasing.cpp:200:15:200:24 | Chi [m1] | semmle.label | Chi [m1] |
-| aliasing.cpp:200:15:200:24 | taint_a_ptr output argument [array content] | semmle.label | taint_a_ptr output argument [array content] |
+| aliasing.cpp:200:15:200:24 | taint_a_ptr output argument [[]] | semmle.label | taint_a_ptr output argument [[]] |
 | aliasing.cpp:201:15:201:16 | m1 | semmle.label | m1 |
 | arrays.cpp:6:12:6:21 | call to user_input | semmle.label | call to user_input |
 | arrays.cpp:7:8:7:13 | access to array | semmle.label | access to array |
@@ -360,20 +360,20 @@ nodes
 | by_reference.cpp:84:14:84:23 | call to user_input | semmle.label | call to user_input |
 | by_reference.cpp:88:3:88:24 | Chi [a] | semmle.label | Chi [a] |
 | by_reference.cpp:88:13:88:22 | call to user_input | semmle.label | call to user_input |
-| by_reference.cpp:92:3:92:20 | Chi [array content] | semmle.label | Chi [array content] |
+| by_reference.cpp:92:3:92:20 | Chi [[]] | semmle.label | Chi [[]] |
 | by_reference.cpp:92:9:92:18 | call to user_input | semmle.label | call to user_input |
-| by_reference.cpp:96:3:96:19 | Chi [array content] | semmle.label | Chi [array content] |
+| by_reference.cpp:96:3:96:19 | Chi [[]] | semmle.label | Chi [[]] |
 | by_reference.cpp:96:8:96:17 | call to user_input | semmle.label | call to user_input |
 | by_reference.cpp:102:21:102:39 | Chi [a] | semmle.label | Chi [a] |
 | by_reference.cpp:102:21:102:39 | taint_inner_a_ptr output argument [a] | semmle.label | taint_inner_a_ptr output argument [a] |
 | by_reference.cpp:104:15:104:22 | Chi | semmle.label | Chi |
 | by_reference.cpp:104:15:104:22 | Chi [a] | semmle.label | Chi [a] |
-| by_reference.cpp:104:15:104:22 | taint_a_ptr output argument [array content] | semmle.label | taint_a_ptr output argument [array content] |
+| by_reference.cpp:104:15:104:22 | taint_a_ptr output argument [[]] | semmle.label | taint_a_ptr output argument [[]] |
 | by_reference.cpp:106:21:106:41 | Chi [a] | semmle.label | Chi [a] |
 | by_reference.cpp:106:21:106:41 | taint_inner_a_ptr output argument [a] | semmle.label | taint_inner_a_ptr output argument [a] |
 | by_reference.cpp:108:15:108:24 | Chi | semmle.label | Chi |
 | by_reference.cpp:108:15:108:24 | Chi [a] | semmle.label | Chi [a] |
-| by_reference.cpp:108:15:108:24 | taint_a_ptr output argument [array content] | semmle.label | taint_a_ptr output argument [array content] |
+| by_reference.cpp:108:15:108:24 | taint_a_ptr output argument [[]] | semmle.label | taint_a_ptr output argument [[]] |
 | by_reference.cpp:110:27:110:27 | a | semmle.label | a |
 | by_reference.cpp:112:14:112:14 | a | semmle.label | a |
 | by_reference.cpp:114:29:114:29 | a | semmle.label | a |
@@ -382,12 +382,12 @@ nodes
 | by_reference.cpp:122:21:122:38 | taint_inner_a_ref output argument [a] | semmle.label | taint_inner_a_ref output argument [a] |
 | by_reference.cpp:124:15:124:21 | Chi | semmle.label | Chi |
 | by_reference.cpp:124:15:124:21 | Chi [a] | semmle.label | Chi [a] |
-| by_reference.cpp:124:15:124:21 | taint_a_ref output argument [array content] | semmle.label | taint_a_ref output argument [array content] |
+| by_reference.cpp:124:15:124:21 | taint_a_ref output argument [[]] | semmle.label | taint_a_ref output argument [[]] |
 | by_reference.cpp:126:21:126:40 | Chi [a] | semmle.label | Chi [a] |
 | by_reference.cpp:126:21:126:40 | taint_inner_a_ref output argument [a] | semmle.label | taint_inner_a_ref output argument [a] |
 | by_reference.cpp:128:15:128:23 | Chi | semmle.label | Chi |
 | by_reference.cpp:128:15:128:23 | Chi [a] | semmle.label | Chi [a] |
-| by_reference.cpp:128:15:128:23 | taint_a_ref output argument [array content] | semmle.label | taint_a_ref output argument [array content] |
+| by_reference.cpp:128:15:128:23 | taint_a_ref output argument [[]] | semmle.label | taint_a_ref output argument [[]] |
 | by_reference.cpp:130:27:130:27 | a | semmle.label | a |
 | by_reference.cpp:132:14:132:14 | a | semmle.label | a |
 | by_reference.cpp:134:29:134:29 | a | semmle.label | a |
--- a/cpp/ql/test/library-tests/ir/ir/PrintAST.expected
+++ b/cpp/ql/test/library-tests/ir/ir/PrintAST.expected
@@ -5925,7 +5925,7 @@ ir.cpp:
 #  705|     getStmt(0): [ReturnStmt] return ...
 #  705|       getExpr(): [ConditionalExpr] ... ? ... : ...
 #  705|           Type = [UnknownType] unknown
-#  705|           ValueCategory = prvalue
+#  705|           ValueCategory = prvalue(load)
 #  705|         getCondition(): [LTExpr] ... < ...
 #  705|             Type = [UnknownType] unknown
 #  705|             ValueCategory = prvalue
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected
@@ -59,20 +59,20 @@ edges
 | test.cpp:237:24:237:37 | (const char *)... | test.cpp:247:2:247:8 | local_size |
 | test.cpp:245:2:245:9 | local_size | test.cpp:224:23:224:23 | s |
 | test.cpp:247:2:247:8 | local_size | test.cpp:230:21:230:21 | s |
-| test.cpp:251:2:251:32 | Chi [array content] | test.cpp:289:17:289:20 | get_size output argument [array content] |
-| test.cpp:251:2:251:32 | Chi [array content] | test.cpp:305:18:305:21 | get_size output argument [array content] |
-| test.cpp:251:18:251:23 | call to getenv | test.cpp:251:2:251:32 | Chi [array content] |
-| test.cpp:251:18:251:31 | (const char *)... | test.cpp:251:2:251:32 | Chi [array content] |
+| test.cpp:251:2:251:32 | Chi [[]] | test.cpp:289:17:289:20 | get_size output argument [[]] |
+| test.cpp:251:2:251:32 | Chi [[]] | test.cpp:305:18:305:21 | get_size output argument [[]] |
+| test.cpp:251:18:251:23 | call to getenv | test.cpp:251:2:251:32 | Chi [[]] |
+| test.cpp:251:18:251:31 | (const char *)... | test.cpp:251:2:251:32 | Chi [[]] |
 | test.cpp:259:20:259:25 | call to getenv | test.cpp:263:11:263:29 | ... * ... |
 | test.cpp:259:20:259:25 | call to getenv | test.cpp:263:11:263:29 | ... * ... |
 | test.cpp:259:20:259:33 | (const char *)... | test.cpp:263:11:263:29 | ... * ... |
 | test.cpp:259:20:259:33 | (const char *)... | test.cpp:263:11:263:29 | ... * ... |
 | test.cpp:289:17:289:20 | Chi | test.cpp:291:11:291:28 | ... * ... |
 | test.cpp:289:17:289:20 | Chi | test.cpp:291:11:291:28 | ... * ... |
-| test.cpp:289:17:289:20 | get_size output argument [array content] | test.cpp:289:17:289:20 | Chi |
+| test.cpp:289:17:289:20 | get_size output argument [[]] | test.cpp:289:17:289:20 | Chi |
 | test.cpp:305:18:305:21 | Chi | test.cpp:308:10:308:27 | ... * ... |
 | test.cpp:305:18:305:21 | Chi | test.cpp:308:10:308:27 | ... * ... |
-| test.cpp:305:18:305:21 | get_size output argument [array content] | test.cpp:305:18:305:21 | Chi |
+| test.cpp:305:18:305:21 | get_size output argument [[]] | test.cpp:305:18:305:21 | Chi |
 nodes
 | test.cpp:40:21:40:24 | argv | semmle.label | argv |
 | test.cpp:40:21:40:24 | argv | semmle.label | argv |
@@ -136,7 +136,7 @@ nodes
 | test.cpp:241:9:241:24 | call to get_tainted_size | semmle.label | call to get_tainted_size |
 | test.cpp:245:2:245:9 | local_size | semmle.label | local_size |
 | test.cpp:247:2:247:8 | local_size | semmle.label | local_size |
-| test.cpp:251:2:251:32 | Chi [array content] | semmle.label | Chi [array content] |
+| test.cpp:251:2:251:32 | Chi [[]] | semmle.label | Chi [[]] |
 | test.cpp:251:2:251:32 | ChiPartial | semmle.label | ChiPartial |
 | test.cpp:251:18:251:23 | call to getenv | semmle.label | call to getenv |
 | test.cpp:251:18:251:31 | (const char *)... | semmle.label | (const char *)... |
@@ -146,12 +146,12 @@ nodes
 | test.cpp:263:11:263:29 | ... * ... | semmle.label | ... * ... |
 | test.cpp:263:11:263:29 | ... * ... | semmle.label | ... * ... |
 | test.cpp:289:17:289:20 | Chi | semmle.label | Chi |
-| test.cpp:289:17:289:20 | get_size output argument [array content] | semmle.label | get_size output argument [array content] |
+| test.cpp:289:17:289:20 | get_size output argument [[]] | semmle.label | get_size output argument [[]] |
 | test.cpp:291:11:291:28 | ... * ... | semmle.label | ... * ... |
 | test.cpp:291:11:291:28 | ... * ... | semmle.label | ... * ... |
 | test.cpp:291:11:291:28 | ... * ... | semmle.label | ... * ... |
 | test.cpp:305:18:305:21 | Chi | semmle.label | Chi |
-| test.cpp:305:18:305:21 | get_size output argument [array content] | semmle.label | get_size output argument [array content] |
+| test.cpp:305:18:305:21 | get_size output argument [[]] | semmle.label | get_size output argument [[]] |
 | test.cpp:308:10:308:27 | ... * ... | semmle.label | ... * ... |
 | test.cpp:308:10:308:27 | ... * ... | semmle.label | ... * ... |
 | test.cpp:308:10:308:27 | ... * ... | semmle.label | ... * ... |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/ArithmeticTainted.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/ArithmeticTainted.expected
@@ -1,9 +1,68 @@
-| test2.cpp:14:11:14:11 | v | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test2.cpp:25:22:25:23 | & ... | User-provided value |
-| test2.cpp:14:11:14:11 | v | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test2.cpp:25:22:25:23 | & ... | User-provided value |
-| test5.cpp:17:6:17:18 | call to getTaintedInt | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
-| test5.cpp:19:6:19:6 | y | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
-| test5.cpp:19:6:19:6 | y | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
-| test.c:14:15:14:28 | maxConnections | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:11:29:11:32 | argv | User-provided value |
-| test.c:14:15:14:28 | maxConnections | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:11:29:11:32 | argv | User-provided value |
-| test.c:44:7:44:10 | len2 | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:41:17:41:20 | argv | User-provided value |
-| test.c:54:7:54:10 | len3 | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:51:17:51:20 | argv | User-provided value |
+edges
+| test2.cpp:12:21:12:21 | v | test2.cpp:14:11:14:11 | v |
+| test2.cpp:12:21:12:21 | v | test2.cpp:14:11:14:11 | v |
+| test2.cpp:25:22:25:23 | & ... | test2.cpp:27:2:27:11 | v |
+| test2.cpp:25:22:25:23 | fscanf output argument | test2.cpp:27:2:27:11 | v |
+| test2.cpp:27:2:27:11 | v | test2.cpp:12:21:12:21 | v |
+| test5.cpp:9:7:9:9 | buf | test5.cpp:10:9:10:27 | Store |
+| test5.cpp:9:7:9:9 | gets output argument | test5.cpp:10:9:10:27 | Store |
+| test5.cpp:10:9:10:27 | Store | test5.cpp:17:6:17:18 | call to getTaintedInt |
+| test5.cpp:10:9:10:27 | Store | test5.cpp:17:6:17:18 | call to getTaintedInt |
+| test5.cpp:10:9:10:27 | Store | test5.cpp:18:6:18:18 | call to getTaintedInt |
+| test5.cpp:18:6:18:18 | call to getTaintedInt | test5.cpp:19:6:19:6 | y |
+| test5.cpp:18:6:18:18 | call to getTaintedInt | test5.cpp:19:6:19:6 | y |
+| test.c:11:29:11:32 | argv | test.c:14:15:14:28 | maxConnections |
+| test.c:11:29:11:32 | argv | test.c:14:15:14:28 | maxConnections |
+| test.c:11:29:11:32 | argv | test.c:14:15:14:28 | maxConnections |
+| test.c:11:29:11:32 | argv | test.c:14:15:14:28 | maxConnections |
+| test.c:41:17:41:20 | argv | test.c:44:7:44:10 | len2 |
+| test.c:41:17:41:20 | argv | test.c:44:7:44:10 | len2 |
+| test.c:41:17:41:20 | argv | test.c:44:7:44:10 | len2 |
+| test.c:41:17:41:20 | argv | test.c:44:7:44:10 | len2 |
+| test.c:51:17:51:20 | argv | test.c:54:7:54:10 | len3 |
+| test.c:51:17:51:20 | argv | test.c:54:7:54:10 | len3 |
+| test.c:51:17:51:20 | argv | test.c:54:7:54:10 | len3 |
+| test.c:51:17:51:20 | argv | test.c:54:7:54:10 | len3 |
+nodes
+| test2.cpp:12:21:12:21 | v | semmle.label | v |
+| test2.cpp:14:11:14:11 | v | semmle.label | v |
+| test2.cpp:14:11:14:11 | v | semmle.label | v |
+| test2.cpp:14:11:14:11 | v | semmle.label | v |
+| test2.cpp:25:22:25:23 | & ... | semmle.label | & ... |
+| test2.cpp:25:22:25:23 | fscanf output argument | semmle.label | fscanf output argument |
+| test2.cpp:27:2:27:11 | v | semmle.label | v |
+| test5.cpp:9:7:9:9 | buf | semmle.label | buf |
+| test5.cpp:9:7:9:9 | gets output argument | semmle.label | gets output argument |
+| test5.cpp:10:9:10:27 | Store | semmle.label | Store |
+| test5.cpp:17:6:17:18 | call to getTaintedInt | semmle.label | call to getTaintedInt |
+| test5.cpp:17:6:17:18 | call to getTaintedInt | semmle.label | call to getTaintedInt |
+| test5.cpp:17:6:17:18 | call to getTaintedInt | semmle.label | call to getTaintedInt |
+| test5.cpp:18:6:18:18 | call to getTaintedInt | semmle.label | call to getTaintedInt |
+| test5.cpp:19:6:19:6 | y | semmle.label | y |
+| test5.cpp:19:6:19:6 | y | semmle.label | y |
+| test5.cpp:19:6:19:6 | y | semmle.label | y |
+| test.c:11:29:11:32 | argv | semmle.label | argv |
+| test.c:11:29:11:32 | argv | semmle.label | argv |
+| test.c:14:15:14:28 | maxConnections | semmle.label | maxConnections |
+| test.c:14:15:14:28 | maxConnections | semmle.label | maxConnections |
+| test.c:14:15:14:28 | maxConnections | semmle.label | maxConnections |
+| test.c:41:17:41:20 | argv | semmle.label | argv |
+| test.c:41:17:41:20 | argv | semmle.label | argv |
+| test.c:44:7:44:10 | len2 | semmle.label | len2 |
+| test.c:44:7:44:10 | len2 | semmle.label | len2 |
+| test.c:44:7:44:10 | len2 | semmle.label | len2 |
+| test.c:51:17:51:20 | argv | semmle.label | argv |
+| test.c:51:17:51:20 | argv | semmle.label | argv |
+| test.c:54:7:54:10 | len3 | semmle.label | len3 |
+| test.c:54:7:54:10 | len3 | semmle.label | len3 |
+| test.c:54:7:54:10 | len3 | semmle.label | len3 |
+#select
+| test2.cpp:14:11:14:11 | v | test2.cpp:25:22:25:23 | & ... | test2.cpp:14:11:14:11 | v | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test2.cpp:25:22:25:23 | & ... | User-provided value |
+| test2.cpp:14:11:14:11 | v | test2.cpp:25:22:25:23 | & ... | test2.cpp:14:11:14:11 | v | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test2.cpp:25:22:25:23 | & ... | User-provided value |
+| test5.cpp:17:6:17:18 | call to getTaintedInt | test5.cpp:9:7:9:9 | buf | test5.cpp:17:6:17:18 | call to getTaintedInt | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
+| test5.cpp:19:6:19:6 | y | test5.cpp:9:7:9:9 | buf | test5.cpp:19:6:19:6 | y | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
+| test5.cpp:19:6:19:6 | y | test5.cpp:9:7:9:9 | buf | test5.cpp:19:6:19:6 | y | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
+| test.c:14:15:14:28 | maxConnections | test.c:11:29:11:32 | argv | test.c:14:15:14:28 | maxConnections | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:11:29:11:32 | argv | User-provided value |
+| test.c:14:15:14:28 | maxConnections | test.c:11:29:11:32 | argv | test.c:14:15:14:28 | maxConnections | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:11:29:11:32 | argv | User-provided value |
+| test.c:44:7:44:10 | len2 | test.c:41:17:41:20 | argv | test.c:44:7:44:10 | len2 | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:41:17:41:20 | argv | User-provided value |
+| test.c:54:7:54:10 | len3 | test.c:51:17:51:20 | argv | test.c:54:7:54:10 | len3 | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:51:17:51:20 | argv | User-provided value |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/ArithmeticUncontrolled.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/ArithmeticUncontrolled.expected
@@ -22,20 +22,20 @@ edges
 | test.cpp:8:9:8:12 | Store | test.cpp:24:11:24:18 | call to get_rand |
 | test.cpp:8:9:8:12 | call to rand | test.cpp:8:9:8:12 | Store |
 | test.cpp:8:9:8:12 | call to rand | test.cpp:8:9:8:12 | Store |
-| test.cpp:13:2:13:15 | Chi [array content] | test.cpp:30:13:30:14 | get_rand2 output argument [array content] |
-| test.cpp:13:10:13:13 | call to rand | test.cpp:13:2:13:15 | Chi [array content] |
-| test.cpp:13:10:13:13 | call to rand | test.cpp:13:2:13:15 | Chi [array content] |
-| test.cpp:18:2:18:14 | Chi [array content] | test.cpp:36:13:36:13 | get_rand3 output argument [array content] |
-| test.cpp:18:9:18:12 | call to rand | test.cpp:18:2:18:14 | Chi [array content] |
-| test.cpp:18:9:18:12 | call to rand | test.cpp:18:2:18:14 | Chi [array content] |
+| test.cpp:13:2:13:15 | Chi [[]] | test.cpp:30:13:30:14 | get_rand2 output argument [[]] |
+| test.cpp:13:10:13:13 | call to rand | test.cpp:13:2:13:15 | Chi [[]] |
+| test.cpp:13:10:13:13 | call to rand | test.cpp:13:2:13:15 | Chi [[]] |
+| test.cpp:18:2:18:14 | Chi [[]] | test.cpp:36:13:36:13 | get_rand3 output argument [[]] |
+| test.cpp:18:9:18:12 | call to rand | test.cpp:18:2:18:14 | Chi [[]] |
+| test.cpp:18:9:18:12 | call to rand | test.cpp:18:2:18:14 | Chi [[]] |
 | test.cpp:24:11:24:18 | call to get_rand | test.cpp:25:7:25:7 | r |
 | test.cpp:24:11:24:18 | call to get_rand | test.cpp:25:7:25:7 | r |
 | test.cpp:30:13:30:14 | Chi | test.cpp:31:7:31:7 | r |
 | test.cpp:30:13:30:14 | Chi | test.cpp:31:7:31:7 | r |
-| test.cpp:30:13:30:14 | get_rand2 output argument [array content] | test.cpp:30:13:30:14 | Chi |
+| test.cpp:30:13:30:14 | get_rand2 output argument [[]] | test.cpp:30:13:30:14 | Chi |
 | test.cpp:36:13:36:13 | Chi | test.cpp:37:7:37:7 | r |
 | test.cpp:36:13:36:13 | Chi | test.cpp:37:7:37:7 | r |
-| test.cpp:36:13:36:13 | get_rand3 output argument [array content] | test.cpp:36:13:36:13 | Chi |
+| test.cpp:36:13:36:13 | get_rand3 output argument [[]] | test.cpp:36:13:36:13 | Chi |
 nodes
 | test.c:18:13:18:16 | call to rand | semmle.label | call to rand |
 | test.c:18:13:18:16 | call to rand | semmle.label | call to rand |
@@ -65,11 +65,11 @@ nodes
 | test.cpp:8:9:8:12 | Store | semmle.label | Store |
 | test.cpp:8:9:8:12 | call to rand | semmle.label | call to rand |
 | test.cpp:8:9:8:12 | call to rand | semmle.label | call to rand |
-| test.cpp:13:2:13:15 | Chi [array content] | semmle.label | Chi [array content] |
+| test.cpp:13:2:13:15 | Chi [[]] | semmle.label | Chi [[]] |
 | test.cpp:13:2:13:15 | ChiPartial | semmle.label | ChiPartial |
 | test.cpp:13:10:13:13 | call to rand | semmle.label | call to rand |
 | test.cpp:13:10:13:13 | call to rand | semmle.label | call to rand |
-| test.cpp:18:2:18:14 | Chi [array content] | semmle.label | Chi [array content] |
+| test.cpp:18:2:18:14 | Chi [[]] | semmle.label | Chi [[]] |
 | test.cpp:18:2:18:14 | ChiPartial | semmle.label | ChiPartial |
 | test.cpp:18:9:18:12 | call to rand | semmle.label | call to rand |
 | test.cpp:18:9:18:12 | call to rand | semmle.label | call to rand |
@@ -78,12 +78,12 @@ nodes
 | test.cpp:25:7:25:7 | r | semmle.label | r |
 | test.cpp:25:7:25:7 | r | semmle.label | r |
 | test.cpp:30:13:30:14 | Chi | semmle.label | Chi |
-| test.cpp:30:13:30:14 | get_rand2 output argument [array content] | semmle.label | get_rand2 output argument [array content] |
+| test.cpp:30:13:30:14 | get_rand2 output argument [[]] | semmle.label | get_rand2 output argument [[]] |
 | test.cpp:31:7:31:7 | r | semmle.label | r |
 | test.cpp:31:7:31:7 | r | semmle.label | r |
 | test.cpp:31:7:31:7 | r | semmle.label | r |
 | test.cpp:36:13:36:13 | Chi | semmle.label | Chi |
-| test.cpp:36:13:36:13 | get_rand3 output argument [array content] | semmle.label | get_rand3 output argument [array content] |
+| test.cpp:36:13:36:13 | get_rand3 output argument [[]] | semmle.label | get_rand3 output argument [[]] |
 | test.cpp:37:7:37:7 | r | semmle.label | r |
 | test.cpp:37:7:37:7 | r | semmle.label | r |
 | test.cpp:37:7:37:7 | r | semmle.label | r |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/test.c
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/test.c
@@ -3,12 +3,12 @@

 int rand(void);
 void trySlice(int start, int end);
+void add_100(int);

 #define RAND() rand()
 #define RANDN(n) (rand() % n)
 #define RAND2() (rand() ^ rand())
-
-
+#define RAND_MAX 32767



@@ -99,4 +99,14 @@ void randomTester() {
    *ptr_r = RAND();
    r -= 100; // BAD
  }
+
+  {
+    int r = rand();
+    r = ((2.0 / (RAND_MAX + 1)) * r - 1.0);
+    add_100(r);
+  }
 }
+
+void add_100(int r) {
+  r += 100; // GOOD
+}
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected
@@ -1,13 +1,16 @@
 | test2.cpp:49:4:49:24 | call to my_des_implementation | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test2.cpp:49:4:49:24 | call to my_des_implementation | call to my_des_implementation |
-| test2.cpp:49:4:49:24 | call to my_des_implementation | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test2.cpp:62:33:62:40 | ALGO_DES | invocation of macro ALGO_DES |
-| test2.cpp:49:4:49:24 | call to my_des_implementation | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test2.cpp:124:4:124:24 | call to my_des_implementation | call to my_des_implementation |
-| test2.cpp:49:4:49:24 | call to my_des_implementation | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test2.cpp:144:27:144:29 | DES | access of enum constant DES |
-| test2.cpp:49:4:49:24 | call to my_des_implementation | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test2.cpp:172:28:172:35 | ALGO_DES | invocation of macro ALGO_DES |
-| test2.cpp:49:4:49:24 | call to my_des_implementation | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test2.cpp:175:28:175:34 | USE_DES | access of enum constant USE_DES |
-| test2.cpp:49:4:49:24 | call to my_des_implementation | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test2.cpp:182:38:182:45 | ALGO_DES | invocation of macro ALGO_DES |
-| test2.cpp:49:4:49:24 | call to my_des_implementation | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test2.cpp:185:38:185:44 | USE_DES | access of enum constant USE_DES |
-| test2.cpp:49:4:49:24 | call to my_des_implementation | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test2.cpp:238:2:238:20 | call to encrypt | call to encrypt |
-| test2.cpp:49:4:49:24 | call to my_des_implementation | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test2.cpp:245:5:245:11 | call to encrypt | call to encrypt |
+| test2.cpp:49:4:49:24 | call to my_des_implementation | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test2.cpp:64:33:64:40 | ALGO_DES | invocation of macro ALGO_DES |
+| test2.cpp:49:4:49:24 | call to my_des_implementation | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test2.cpp:66:31:66:38 | ALGO_DES | invocation of macro ALGO_DES |
+| test2.cpp:49:4:49:24 | call to my_des_implementation | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test2.cpp:128:4:128:24 | call to my_des_implementation | call to my_des_implementation |
+| test2.cpp:49:4:49:24 | call to my_des_implementation | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test2.cpp:148:27:148:29 | DES | access of enum constant DES |
+| test2.cpp:49:4:49:24 | call to my_des_implementation | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test2.cpp:186:38:186:45 | ALGO_DES | invocation of macro ALGO_DES |
+| test2.cpp:49:4:49:24 | call to my_des_implementation | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test2.cpp:189:38:189:44 | USE_DES | access of enum constant USE_DES |
+| test2.cpp:49:4:49:24 | call to my_des_implementation | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test2.cpp:242:2:242:20 | call to encrypt | call to encrypt |
+| test2.cpp:49:4:49:24 | call to my_des_implementation | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test2.cpp:249:5:249:11 | call to encrypt | call to encrypt |
+| test2.cpp:49:4:49:24 | call to my_des_implementation | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test2.cpp:304:20:304:37 | call to desEncryptor | call to desEncryptor |
+| test2.cpp:49:4:49:24 | call to my_des_implementation | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test2.cpp:308:5:308:19 | call to doDesEncryption | call to doDesEncryption |
+| test2.cpp:49:4:49:24 | call to my_des_implementation | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test2.cpp:309:9:309:23 | call to doDesEncryption | call to doDesEncryption |
+| test2.cpp:49:4:49:24 | call to my_des_implementation | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test2.cpp:403:26:403:45 | call to getEncryptionNameDES | call to doEncryption |
 | test.cpp:38:2:38:31 | ENCRYPT_WITH_DES(data,amount) | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test.cpp:38:2:38:31 | ENCRYPT_WITH_DES(data,amount) | invocation of macro ENCRYPT_WITH_DES |
 | test.cpp:38:2:38:31 | ENCRYPT_WITH_DES(data,amount) | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test.cpp:39:2:39:31 | ENCRYPT_WITH_RC2(data,amount) | invocation of macro ENCRYPT_WITH_RC2 |
 | test.cpp:38:2:38:31 | ENCRYPT_WITH_DES(data,amount) | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test.cpp:41:2:41:32 | ENCRYPT_WITH_3DES(data,amount) | invocation of macro ENCRYPT_WITH_3DES |
@@ -21,5 +24,3 @@
 | test.cpp:38:2:38:31 | ENCRYPT_WITH_DES(data,amount) | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test.cpp:91:2:91:12 | call to encrypt3DES | call to encrypt3DES |
 | test.cpp:38:2:38:31 | ENCRYPT_WITH_DES(data,amount) | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test.cpp:92:2:92:17 | call to encryptTripleDES | call to encryptTripleDES |
 | test.cpp:38:2:38:31 | ENCRYPT_WITH_DES(data,amount) | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test.cpp:101:2:101:15 | call to do_des_encrypt | call to do_des_encrypt |
-| test.cpp:38:2:38:31 | ENCRYPT_WITH_DES(data,amount) | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test.cpp:102:2:102:12 | call to DES_Set_Key | call to DES_Set_Key |
-| test.cpp:38:2:38:31 | ENCRYPT_WITH_DES(data,amount) | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test.cpp:121:2:121:24 | INIT_ENCRYPT_WITH_DES() | invocation of macro INIT_ENCRYPT_WITH_DES |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-327/test.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-327/test.cpp
@@ -99,7 +99,7 @@ void test_functions(void *data, size_t amount, const char *str)
 	DoDESEncryption(data, amount); // BAD [NOT DETECTED]
 	encryptDes(data, amount); // BAD [NOT DETECTED]
 	do_des_encrypt(data, amount); // BAD
-	DES_Set_Key(str); // BAD
+	DES_Set_Key(str); // BAD [NOT DETECTED]
 	DESSetKey(str); // BAD [NOT DETECTED]

 	Des(); // GOOD (probably nothing to do with encryption)
@@ -118,7 +118,7 @@ void my_implementation8();

 void test_macros2()
 {
-	INIT_ENCRYPT_WITH_DES(); // BAD
+	INIT_ENCRYPT_WITH_DES(); // BAD [NOT DETECTED]
 	INIT_ENCRYPT_WITH_AES(); // GOOD (good algorithm)
 	
 	// ...
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-327/test2.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-327/test2.cpp
@@ -58,8 +58,12 @@ void encrypt_bad(char *data, size_t amount, keytype key, int algo)

 void do_encrypts(char *data, size_t amount, keytype key)
 {
+	char data2[128];
+
 	encrypt_good(data, amount, key, ALGO_AES); // GOOD
 	encrypt_bad(data, amount, key, ALGO_DES); // BAD
+	encrypt_good(data2, 128, key, ALGO_AES); // GOOD
+	encrypt_bad(data2, 128, key, ALGO_DES); // BAD
 }

 // --- more involved CPP-style example ---
@@ -169,10 +173,10 @@ const char *get_algorithm3();

 void do_unseen_encrypts(char *data, size_t amount, keytype key)
 {
-	set_encryption_algorithm1(ALGO_DES); // BAD
+	set_encryption_algorithm1(ALGO_DES); // BAD [NOT DETECTED]
 	set_encryption_algorithm1(ALGO_AES); // GOOD

-	set_encryption_algorithm2(USE_DES); // BAD
+	set_encryption_algorithm2(USE_DES); // BAD [NOT DETECTED]
 	set_encryption_algorithm2(USE_AES); // GOOD

 	set_encryption_algorithm3("DES"); // BAD [NOT DETECTED]
@@ -208,32 +212,32 @@ void do_unseen_encrypts(char *data, size_t amount, keytype key)
 class desEncrypt
 {
 public:
-	static void encrypt(const char *data);
+	static void encrypt(char *data);
 	static void doSomethingElse();
 };

 class aes256Encrypt
 {
 public:
-	static void encrypt(const char *data);
+	static void encrypt(char *data);
 	static void doSomethingElse();
 };

 class desCipher
 {
 public:
-	void encrypt(const char *data);
+	void encrypt(char *data);
 	void doSomethingElse();
 };

 class aesCipher
 {
 public:
-	void encrypt(const char *data);
+	void encrypt(char *data);
 	void doSomethingElse();
 };

-void do_classes(const char *data)
+void do_classes(char *data)
 {
 	desEncrypt::encrypt(data); // BAD
 	aes256Encrypt::encrypt(data); // GOOD
@@ -260,3 +264,142 @@ void do_fn_ptr(char *data, size_t amount, keytype key)
 	impl = &my_aes_implementation; // GOOD
 	impl(data, amount, key);
 }
+
+// --- template classes ---
+
+class desEncryptor
+{
+public:
+	desEncryptor();
+
+	void doDesEncryption(char *data);
+};
+
+template <class C>
+class container
+{
+public:
+	container() {
+		obj = new C(); // GOOD
+	}
+
+	~container() {
+		delete obj;
+	}
+
+	C *obj;
+};
+
+template <class C>
+class templateDesEncryptor
+{
+public:
+	templateDesEncryptor();
+
+	void doDesEncryption(C &data);
+};
+
+void do_template_classes(char *data)
+{
+	desEncryptor *p = new desEncryptor(); // BAD
+	container<desEncryptor> c; // BAD [NOT DETECTED]
+	templateDesEncryptor<char *> t; // BAD [NOT DETECTED]
+
+	p->doDesEncryption(data); // BAD
+	c.obj->doDesEncryption(data); // BAD
+	t.doDesEncryption(data); // BAD [NOT DETECTED]
+}
+
+// --- assert ---
+
+int assertFunc(const char *file, int line);
+#define assert(_cond) ((_cond) || assertFunc(__FILE__, __LINE__))
+
+struct algorithmInfo;
+
+const algorithmInfo *getEncryptionAlgorithmInfo(int algo);
+
+void test_assert(int algo, algorithmInfo *algoInfo)
+{
+	assert(algo != ALGO_DES); // GOOD
+	assert(algoInfo != getEncryptionAlgorithmInfo(ALGO_DES)); // GOOD
+
+	// ...
+}
+
+// --- string comparisons ---
+
+int strcmp(const char *s1, const char *s2);
+void abort(void);
+
+#define ENCRYPTION_DES_NAME "DES"
+#define ENCRYPTION_AES_NAME "AES"
+
+void test_string_comparisons1(const char *algo_name)
+{
+	if (strcmp(algo_name, ENCRYPTION_DES_NAME) == 0) // GOOD
+	{
+		abort();
+	}
+	if (strcmp(algo_name, ENCRYPTION_AES_NAME) == 0) // GOOD
+	{
+		// ...
+	}
+}
+
+const char *getEncryptionNameDES()
+{
+	return "DES";
+}
+
+const char *getEncryptionNameAES()
+{
+	return "AES";
+}
+
+void test_string_comparisons2(const char *algo_name)
+{
+	if (strcmp(algo_name, getEncryptionNameDES()) == 0) // GOOD
+	{
+		abort();
+	}
+	if (strcmp(algo_name, getEncryptionNameAES()) == 0) // GOOD
+	{
+		// ...
+	}
+}
+
+const char *getEncryptionName(int algo)
+{
+	switch (algo)
+	{
+	case ALGO_DES:
+		return getEncryptionNameDES(); // GOOD
+	case ALGO_AES:
+		return getEncryptionNameAES(); // GOOD
+	default:
+		abort();
+	}
+}
+
+void test_string_comparisons3(const char *algo_name)
+{
+	if (strcmp(algo_name, getEncryptionName(ALGO_DES)) == 0) // GOOD
+	{
+		abort();
+	}
+	if (strcmp(algo_name, getEncryptionName(ALGO_AES)) == 0) // GOOD
+	{
+		// ...
+	}
+}
+
+// --- function call in a function call ---
+
+void doEncryption(char *data, size_t len, const char *algorithmName);
+
+void test_fn_in_fn(char *data, size_t len)
+{
+	doEncryption(data, len, getEncryptionNameDES()); // BAD
+	doEncryption(data, len, getEncryptionNameAES()); // GOOD
+}
--- a/cpp/ql/test/query-tests/Summary/LinesOfCode.expected
+++ b/cpp/ql/test/query-tests/Summary/LinesOfCode.expected
@@ -1 +1 @@
-| 93 |
+| 96 |
--- a/cpp/ql/test/query-tests/Summary/LinesOfUserCode.expected
+++ b/cpp/ql/test/query-tests/Summary/LinesOfUserCode.expected
@@ -0,0 +1 @@
+| 93 |
--- a/cpp/ql/test/query-tests/Summary/LinesOfUserCode.qlref
+++ b/cpp/ql/test/query-tests/Summary/LinesOfUserCode.qlref
@@ -0,0 +1 @@
+Summary/LinesOfUserCode.ql
--- a/cpp/ql/test/query-tests/Summary/generated-file.cpp
+++ b/cpp/ql/test/query-tests/Summary/generated-file.cpp
@@ -0,0 +1,12 @@
+/**
+ * This file is generated by abc.xyz.  Do not edit!
+ *
+ * (except that this isn't really a generated file, but the above is the typical sort of comment
+ *  you see at the beginning of a true generated file).
+ */
+
+int generated_function() {
+	// ...
+
+	return 1;
+}